Data Security Tips for Small Businesses
It is a common misperception that data thieves only target large, well known organizations. The fact is, smaller companies, because of their perceived lack of resources and technical sophistication, are often targeted by cyber criminals. Many industry studies have suggested that over 80 percent of identified compromises of cardholder data (credit, debit card data) involve small merchants. While larger companies often make headlines, dozens of smaller companies are victimized for every large or well-known company that suffers a data compromise.
A sound data security plan is built on 5 key principles:
- Take Stock. Know what personal information you have in your files and on your computers.
- Scale Down. Keep only what you need for your business. (ProPay advocates "Remove the data, Remove the risk®." And, through its ProtectPay solution, in most cases it can eliminate the need for a company, large or small, to store sensitive payment data, including credit/debit card and ACH payment data. For small businesses, this can be done for as little as $20.00 per year.)
- Lock It. Protect the information that you keep.
- Pitch It. Properly dispose of what you no longer need.
- Plan Ahead. Create a plan to respond to security incidents.
How is your business doing when it comes to data security? The publication above also included a Security Check Q&A. Below are some questions you should ask yourself and the associated guidelines.
Identity Theft Q&A for Small Businesses
Q: Are there laws that require my company to keep sensitive data secure?
A: Yes. While you’re taking stock of the data in your files, take stock of the law, too. Statutes like the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act may require you to provide reasonable security for sensitive information. Certainly, if you’re storing, transmitting or processing credit/debit card data, you fall under the Payment Card Industry Data Security Standard (PCI DSS) regulations.
Q: We like to have information about our customers, so we usually create a permanent file about all aspects of their transactions, including the information we collect from the magnetic stripe on their credit cards. Could this put their information at risk?
A: Yes. Keep sensitive data in your system only as long as you have a business reason to have it. Once that business need is over, properly dispose of it. If it’s not in your system, it can’t be stolen by hackers. (Again, ProPay would advocate a solution such as ProtectPay where the need to store sensitive payment data can be eliminated.)
Q: We encrypt financial data consumers submit on our website. But once we receive it, we decrypt it and email it over the Internet to our branch offices in regular text. Is there a safer practice?
A: Yes. Regular email is not a secure method for sending sensitive data. The better practice is to encrypt any transmission that contains information that could be used by fraudsters or ID thieves.
Q: Our account staff needs access to our database of customer financial information. To make it easier to remember, we just use our company name as a password. Could that create a security problem?
A: Yes. To make it harder for hackers to crack your system, select strong passwords—the longer, the better—that use a combination of letters, symbols, and numbers. And, change passwords often.
Q: I own a small business. Aren’t these precautions going to cost me a mint to implement?
A: No. There’s no one-size-fits-all approach to data security, and what’s right for you depends on the nature of your business and the kind of information you collect from your customers. Some of the most effective security measures—using strong passwords, locking up sensitive paperwork, training your office staff, etc.—will cost you next to nothing, and you’ll find free or low-cost security tools at non-profit websites dedicated to data security. Furthermore, it’s cheaper in the long run to invest in better data security than to lose the goodwill of your customers, defend yourself in legal actions, and face other possible consequences of a data breach.